With online fraud on everyone's lips, a secretive but much-buzzed-about startup on Tuesday will unveil technology that one leading security expert says could cut global cyberattacks by half.

Shape Security operates behind locked doors in a bland Mountain View office building, but its founders — including a former high-ranking Pentagon official — have developed a new approach to fighting the kinds of malware attacks that have brought down the White House computer network and cost consumers and e-tailers hundreds of millions of dollars each year in bogus charges.

And they do it by turning hackers' own techniques against them.

“It can be a game-changer,” said Gartner Research vice president Avivah Litan, a security consultant who previously was director of financial systems at the World Bank.

She and other experts say security software is often handicapped because it fights reactively: A virus or bit of malicious software may not be discovered until long after it's begun to work.

“There are armies of 'bots' sitting on user machines that quietly take over for a few unnoticed moments, then go back to sleep,” Shape co-founder Sumit (pronounced “summit”) Agarwal said recently from the company's compact offices.


Those so-called bots, or automated programs, can scour a person's computer for passwords and other information such as birthdates and Social Security numbers. Often, they steal that data from websites the person has visited.

“This problem is bigger today than it's ever been because every American household is wired,” Agarwal said.

An Air Force cyberwarfare veteran and MIT graduate, he spent six years in product management roles at Google (GOOG) before the Obama administration named him deputy assistant secretary of defense.

The federal government is increasingly keen to stop cyberassaults; former Defense Secretary Leon Panetta, in a recent speech in San Jose, said the department is hit more than 100,000 times each day. Many of those are “distributed denial of service” attacks, in which a network of bots uses stolen user IDs to flood a site with billions of clicks.

At the Pentagon, Agarwal got to know another tech refugee: Derek Smith, who had founded security startup Oakley Networks and sold it to defense contractor Raytheon.

Agarwal and Smith came to believe the key to warding off attacks via websites was to change the nature of the sites themselves. So in late 2011, they headed back to Silicon Valley.

When a bot scours a website, the software is looking for telltale fields such as “username” and “password.” Shape's solution: Passing sites through a second server that replaces those fields with constantly changing bits of gobbledygook. The bots can't tell which code to zero in on, but to the user, the website appears unchanged.

Those rapid changes are called “real-time polymorphism,” a technique traditionally used by malware to rewrite its code every time a new machine is infected.
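To make the idea concrete, here is a small added example (not Shape's code, and not drawn from the article) of the field-name polymorphism described above: each time a page is served, the form's `name` attributes are swapped for fresh random tokens and a per-page mapping is kept server-side, so a submission against the rewritten page is translated back to the real names, while a post that uses the original names or a token from an earlier page is flagged instead of forwarded. The sample form and the `f_` token prefix are constructed for the example.

```python
import re
import secrets

# Constructed sample login form for the example (not from the article).
SAMPLE_FORM = """<form method="post" action="/login">
  <input type="text" name="username">
  <input type="password" name="password">
  <input type="submit" value="Sign in">
</form>"""

NAME_ATTR = re.compile(r'name="([^"]+)"')


def polymorph_form(html, token_for=None):
    """Rewrite every field name in the form with a fresh random token.

    Returns (rewritten_html, mapping) where mapping sends token -> real name.
    A new mapping is produced for every call, so two servings of the same
    page never share field names. token_for is an optional hook for tests.
    """
    mapping = {}

    def swap(match):
        real_name = match.group(1)
        tok = token_for(real_name) if token_for else "f_" + secrets.token_hex(8)
        mapping[tok] = real_name
        return f'name="{tok}"'

    return NAME_ATTR.sub(swap, html), mapping


def unmask_submission(form_data, mapping):
    """Translate a submission made against a rewritten page back to the real
    field names the origin server expects.

    Keys that are not in this page's mapping (a bot posting "username"
    directly, or replaying a token from an earlier serving) are not forwarded;
    they are returned separately so the caller can log or reject them.
    """
    real, unknown = {}, []
    for key, value in form_data.items():
        if key in mapping:
            real[mapping[key]] = value
        else:
            unknown.append(key)
    return real, unknown


if __name__ == "__main__":
    page, page_map = polymorph_form(SAMPLE_FORM)
    print(page)
    print(unmask_submission({next(iter(page_map)): "alice"}, page_map))
```

In a deployment the mapping would be stored against a per-page or per-session identifier and discarded once the corresponding submission arrives, so a token is only valid for the page that issued it.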

Shape's approach wouldn't stop scams like the massive theft of shopper credit card numbers from Target; that attack wasn't launched through the retailer's website but via malware placed on card-swiping devices in stores.

But what Shape's technology conceivably could do is stop fraudsters from using those stolen card numbers to order things on Amazon.com and other websites. Using stolen cards to buy gift cards or other items, then quickly resell them, is a key strategy behind credit card theft, Agarwal said.

Litan, who's spoken to users of Shape's fledgling service, said it would virtually eliminate malware takeovers of a user's computer and the kinds of denial-of-service attacks that crashed federal websites in 2009 and those of major U.S. banks last year.

Shape's software has been used for the past six months by about a dozen Fortune 200 companies, though the startup isn't identifying them because, Agarwal said, they don't want attention drawn to potential data vulnerabilities.

He did disclose that the software's not cheap: Each contract costs more than $1 million.

Shape first set tongues wagging around Silicon Valley a year ago by landing more than $20 million from some of the venture capital industry's leading security experts — without saying just what the company did.

While Litan reckons Shape's approach would shut down “well over 50 percent of all cyberattacks,” she also warned that large companies might be reluctant to turn over control of their websites to an outside vendor. And Litan believes hackers eventually will find ways to outfox any new technology — a point Agarwal also concedes.

Still, Litan said, “You don't run across something this radical very often.”
